Marcel Winandy's Research Blog<br />
A personal blog on computer security and trusted computing research, by Marcel Winandy.<br />
<br />
<b>Applying a Security Kernel Framework to Smart Meter Gateways</b> (2012-10-25)<br />
This is the title of a paper I wrote together with Michael Gröne, and which I presented at <a href="http://www.revolution-events.com/emails/ISSE2012Programme.pdf">ISSE 2012</a>. As part of my work at Sirrix we developed this security architecture for smart meter gateways, leveraging earlier work on security architectures for distributed IT systems from the EMSCB and OpenTC projects, i.e., building on the Turaya security framework.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgqWQcAtD9cfVoM-m31EKJGZ4k69IXPiMo1u0gwOdjnebMqF_T1-fpu2nyz1ztyvwN2lUQ92IkB9ECy5TRT3rwe2XtwkvD_Q2cSJ6YtlH7LQ5zwyYEJqQBh9ZYkq7B0-xUUX0OAj-42d26/s1600/SMGW-overview.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgqWQcAtD9cfVoM-m31EKJGZ4k69IXPiMo1u0gwOdjnebMqF_T1-fpu2nyz1ztyvwN2lUQ92IkB9ECy5TRT3rwe2XtwkvD_Q2cSJ6YtlH7LQ5zwyYEJqQBh9ZYkq7B0-xUUX0OAj-42d26/s400/SMGW-overview.png" /></a></div><br />
Smart grids are a heavily discussed topic in the European Union and many other countries. Smart Meter Systems are going to be deployed worldwide. However, due to their complexity and interconnectivity, they have to meet strict security and privacy requirements. As a result, German regulatory bodies decided on a proactive approach and developed a protection profile for Common Criteria evaluation, i.e., explicitly specifying security requirements for gateway components. In this paper, we describe the challenges and requirements that have to be fulfilled to build a smart meter gateway according to the BSI protection profile in Germany. Moreover, we present and discuss a modular security framework approach that can be used to realize such gateways in order to fulfill the requirements of the protection profile. This security framework is based on a security kernel approach that has been developed within various other projects. The proposed security kernel framework offers a solution to meet these security requirements while keeping the architecture modular and flexible enough to be used for other implementations as well.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjR-E2HPflF3L2ZPIAWiL4zOZqia-9ZcvM22em4mg4xydnNze36cb2_6QDKejs3H9hDxe9uyHnyOMOSMz802Bp2mF3pZzNsBDyARMJW26W_EJ5AlyoDaGEDQfgajBFDcRLU2GW_WwdOXzXy/s1600/SMGW-SecArch.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjR-E2HPflF3L2ZPIAWiL4zOZqia-9ZcvM22em4mg4xydnNze36cb2_6QDKejs3H9hDxe9uyHnyOMOSMz802Bp2mF3pZzNsBDyARMJW26W_EJ5AlyoDaGEDQfgajBFDcRLU2GW_WwdOXzXy/s400/SMGW-SecArch.png" /></a></div><br />
The figure above shows the architecture of the approach. A key feature of the security kernel framework is that it allows executing isolated application domains on top of it. Applications belonging to one domain can communicate freely with each other. Communication with other domains is prevented by default. If communication between domains (or to external systems) should be allowed, then this must be stated in the security policy of the system. In the instantiation of our framework for the smart meter gateway, we isolate the execution of all services that are used to realize the logical functions of the gateway. In particular, we define four security domains, one for each of the logical main functions, and in addition one security domain for the basic services of our security kernel. As other applications might be introduced later, we can define further security domains to separate them from the main logical functions and the basic security services. As one possible instantiation of the framework, we use a type enforcement mechanism to provide mandatory access control and labeling of all data and network connections. This is enhanced by additional components (security services) that control all incoming and outgoing network connections and that enforce the information flow control of the software components within the gateway.<br />
<br />
More information: [<a href="http://de.slideshare.net/mwinandy/applying-a-security-kernel-framework-to-smart-meter-gateways">Slides</a>]<br />
<br />
<b>Flexible Patient-Controlled Security for Electronic Health Records</b> (2012-01-29)<br />
This is a paper I wrote together with Thomas Hupperich, Hans Löhr, and Ahmad-Reza Sadeghi. I presented a poster on it at the 2nd ACM SIGHIT International Health Informatics Symposium (IHI 2012) in Florida, USA. In this paper we present a new security architecture for Electronic Health Record (EHR) systems in which we let patients control the confidentiality of their EHR data in an easy and flexible way. Existing approaches to protecting the privacy of EHRs are either insufficient with respect to strict privacy laws or too restrictive in their usage. For example, smartcard-based encryption systems require the patient to be present every time access to medical records is authorized. In our approach, we propose a security architecture for EHR infrastructures that provides more flexibility but retains the security of patient-controlled encryption. In our proposal, patients are able to authorize access to their records remotely (e.g., via phone) and independently of time, for later processing by the physician. The security of our approach relies on modern cryptographic schemes, in particular Attribute-Based Encryption, and their incorporation into an EHR infrastructure.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbefxth_gaOqSudr7gPCvQEgSwxf7PvQ0htkPt5reb-2uUUFeR6r-lI8RH2DoPwSQeWi8FlOkrm6CKuRPZc-Ysm3DGJx7t7yOixbU9DVnE6VsKUDhLfN6oXSL7U04RQxDnGKZ8AQuZpfg_/s1600/flexsec-ehr-architecture.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbefxth_gaOqSudr7gPCvQEgSwxf7PvQ0htkPt5reb-2uUUFeR6r-lI8RH2DoPwSQeWi8FlOkrm6CKuRPZc-Ysm3DGJx7t7yOixbU9DVnE6VsKUDhLfN6oXSL7U04RQxDnGKZ8AQuZpfg_/s400/flexsec-ehr-architecture.png" /></a></div><br />
The key idea of our approach is to avoid the use of smartcards as a direct input for encrypting and decrypting EHRs. Before medical data is to be stored on an EHR server, the patient provides his smartcard only to generate a transaction code (TAC) which will be used as authorization secret. The encryption key is only based on the TAC and the patient's identity. When the EHR is to be read again, the patient gives the TAC to the health professional who needs to access the EHR. The novelty in this approach is that patients do not need to be present with their smartcards for decryption, but can provide the TAC via, e.g., phone.<br />
<br />
More information: [<a href="http://www.marcel-winandy.de/papers/flexsec-ehr-ihi2012.pdf">Paper</a>]<br />
<b>Trusted Virtual Domains on OKL4: Secure Information Sharing on Smartphones</b> (2011-10-17)<br />
This is the title of a paper I have written together with Lucas Davi, Alexandra Dmitrienko and Christoph Kowalski, and it was presented at <a href="http://www.cs.utsa.edu/~acmstc/stc2011/">ACM STC 2011</a>. It is one of our first attempts to bring the idea of Trusted Virtual Domains (TVD) as a security model to smartphones. Since smartphones are often used both for private and business purposes, it is crucial to separate the data and applications of these different security domains.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJBDdsCAV3RzWfBCPnZN7nEAxx7ACJy2e9Bmui-tQBmuq3o_OB5D6_FjEfHCCm2z8rx5cXq67nBzm6uRhNqIgb_xrn20Phw2NVCB01Cti8bVdxk4a_mCJmM7r4uqyOFVvwNEsyo5Q40vu9/s1600/ArchitectureOKL4-TVD.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJBDdsCAV3RzWfBCPnZN7nEAxx7ACJy2e9Bmui-tQBmuq3o_OB5D6_FjEfHCCm2z8rx5cXq67nBzm6uRhNqIgb_xrn20Phw2NVCB01Cti8bVdxk4a_mCJmM7r4uqyOFVvwNEsyo5Q40vu9/s400/ArchitectureOKL4-TVD.png" /></a></div><br />
In the paper we present the design and implementation of the TVD security architecture for smartphones. To this end, we have implemented a TVD framework on top of the OKL4 microkernel, which provides the basic isolation properties that are necessary to run different execution environments isolated from each other on the same device. As execution environments we use instances of the Android operating system. Essentially, our approach is (to the best of our knowledge) the first realization of TVD policy enforcement for Android. In particular, the TVD framework on top of the OKL4 microkernel supports running Android operating system instances and Android applications in isolated environments. Moreover, we have developed a policy mapping tool that translates the general TVD policy rules into the specific security mechanisms of the OKL4 kernel.<br />
<br />
More information: <a href="http://www.marcel-winandy.de/papers/okl4-tvd-stc2011.pdf">[Paper]</a><br />
<br />
<b>Uni-directional Trusted Path (UTP): Transaction Confirmation on Just One Device</b> (2011-07-01)<br />
This is the title of a paper I have written together with Atanas Filyanov, Jonathan M. McCune, and Ahmad-Reza Sadeghi. It was published and presented at <a href="http://2011.dsn.org">DSN 2011</a>. In this paper we address the question whether a trusted path from a system to a user has to be bidirectional for all use cases, i.e., authenticating the system to the user and authenticating the user to the system. The answer is no: there are use cases that allow a uni-directional trusted path (UTP), just from the user to the system. We identified use cases such as transaction confirmation in online purchases or CAPTCHAs as possible applications. <br />
<br />
Essentially, our approach allows users to confirm a transaction without requiring them to know whether the application they are interacting with is actually trustworthy. Recent hardware offers compelling features for remote attestation and isolated code execution; however, these mechanisms are not widely used in deployed systems to date. We show how to leverage these mechanisms to establish a "one-way" trusted path allowing service providers to gain assurance that users' transactions were indeed submitted by a human operating the computer, instead of by malware such as transaction generators.<br />
<br />
Based on the concept of a uni-directional trusted path, we architect a trusted confirmation and optionally authentication agent that executes in CPU-provided isolation. The trusted computing base (TCB) of the trusted agent is relatively small compared to prior works (a few thousand lines of code), and remains compatible with users' existing operating system and application environments. The following picture shows the high-level design of UTP.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJXX4HkYQBlEQVzqxD5asC4ikgo0pKvaBtjNhUBWse_SHmLLDFWd8kx0c7fzzJZd4wjA677zon0E0SGytp2dc_3nUUion4nc_V9eERCTnDs0GPQpGiIC1Icnpje2rKAJ5Cs11SCBCrr1Ly/s1600/utp-approach.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJXX4HkYQBlEQVzqxD5asC4ikgo0pKvaBtjNhUBWse_SHmLLDFWd8kx0c7fzzJZd4wjA677zon0E0SGytp2dc_3nUUion4nc_V9eERCTnDs0GPQpGiIC1Icnpje2rKAJ5Cs11SCBCrr1Ly/s400/utp-approach.png" /></a></div><br />
When the client requests an action from the server that requires a confirmation of the user's intent, the server establishes the uni-directional trusted path by sending a message to the client (together with a random nonce to prevent replay attacks). The (untrusted) client program invokes the execution of the UTP Agent in the CPU's secure execution mode. This mode ensures that the UTP Agent executes isolated from other software and successfully takes control of the user-centric I/O devices. The UTP Agent displays the message provided by the server (e.g., a transaction summary) to the user. Once the user has viewed the message and acted as required (e.g., confirmed their intention to submit the transaction), the UTP Agent assembles the necessary data to generate an attestation that these events transpired while in the secure execution mode. This information is cryptographically signed with a keypair that is accessible only while the isolated execution environment is active, in order to demonstrate its authenticity and integrity. The data and its signature are then sent to the server. The server verifies the signature with the provided and certified public key of the client platform, and subsequently verifies the attestation information in order to gain assurance about the execution of the UTP Agent. Note that this is more than just TCG-style attestation. If the verification succeeds, the server knows that a uni-directional trusted path to the human user has been established and that the transaction can be processed.<br />
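The exchange described above, simulated end to end as an added example (not code from the paper): the server issues a nonce, the UTP Agent stands in for the isolated execution mode and attests the displayed message plus the user's decision, and the server checks nonce freshness, signature, agent measurement and message binding. Assumptions for a stdlib-only example: the platform-certified keypair is replaced by an HMAC key <code>AGENT_SEALED_KEY</code> shared with the server, and <code>EXPECTED_AGENT_MEASUREMENT</code> and the transaction text are constructed values.

```python
"""Simulated UTP exchange: server -> untrusted client -> UTP Agent -> server."""
import hashlib
import hmac
import json
import os

# Constructed stand-in for the keypair that is only accessible inside the isolated
# execution environment. A real deployment uses a platform-certified asymmetric key
# and the server holds only the public half; an HMAC key is assumed here so the
# example runs with the standard library alone.
AGENT_SEALED_KEY = b"constructed-sealed-key-only-visible-in-isolated-mode"

# Constructed measurement (hash) of the UTP Agent code, known to the server in advance.
EXPECTED_AGENT_MEASUREMENT = hashlib.sha256(b"constructed UTP agent binary").hexdigest()


def digest(text):
    """Hash of the server's message, so the attestation binds to exactly that text."""
    return hashlib.sha256(text.encode()).hexdigest()


def sign_attestation(attestation):
    """Sign a canonical encoding of the attestation with the sealed key."""
    canonical = json.dumps(attestation, sort_keys=True).encode()
    return hmac.new(AGENT_SEALED_KEY, canonical, hashlib.sha256).hexdigest()


class Server:
    def __init__(self):
        self._pending = {}  # nonce -> transaction text awaiting human confirmation

    def request_confirmation(self, transaction):
        """Step 1: send the message and a fresh random nonce to the client."""
        nonce = os.urandom(16).hex()
        self._pending[nonce] = transaction
        return {"message": transaction, "nonce": nonce}

    def verify(self, attestation, signature):
        """Steps 4-5: check nonce, signature and attestation contents."""
        # Each nonce is accepted once; an invalid attestation aborts the pending
        # transaction rather than leaving the nonce reusable.
        transaction = self._pending.pop(attestation.get("nonce"), None)
        if transaction is None:
            return False, "unknown or replayed nonce"
        if not hmac.compare_digest(sign_attestation(attestation), signature):
            return False, "bad signature"
        if attestation.get("agent_measurement") != EXPECTED_AGENT_MEASUREMENT:
            return False, "unexpected agent code"
        if attestation.get("message_digest") != digest(transaction):
            return False, "message mismatch"
        if attestation.get("user_decision") != "confirmed":
            return False, "user did not confirm"
        return True, "confirmed by human via UTP"


def utp_agent(challenge, user_confirms, agent_measurement=EXPECTED_AGENT_MEASUREMENT):
    """Step 3, 'inside' the isolated environment: display, collect decision, attest.

    In the real system the agent owns screen and keyboard here; the user's
    decision is passed in as a parameter for the simulation.
    """
    attestation = {
        "message_digest": digest(challenge["message"]),
        "nonce": challenge["nonce"],
        "user_decision": "confirmed" if user_confirms else "rejected",
        "agent_measurement": agent_measurement,
    }
    return attestation, sign_attestation(attestation)


def untrusted_client(server, transaction, user_confirms):
    """Step 2: the untrusted client only relays between server and agent."""
    challenge = server.request_confirmation(transaction)
    attestation, signature = utp_agent(challenge, user_confirms)
    return server.verify(attestation, signature)


if __name__ == "__main__":
    print(untrusted_client(Server(), "Transfer 100 EUR to account X (constructed)", True))
```

A client that tampers with the attestation after the agent signed it, or replays an old one, fails the server's checks; the transaction is only processed when the freshly issued nonce comes back signed together with a "confirmed" decision.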
<br />
More information [<a href="http://www.marcel-winandy.de/papers/utp-dsn2011.pdf">Paper</a>] [<a href="http://de.slideshare.net/mwinandy/unidirectional-trusted-path-transaction-confirmation-on-just-one-device">Slides</a>]<br />
<br />
<b>Trusted Virtual Domains on OpenSolaris: Usable Secure Desktop Environments</b> (2011-01-14)<br />
This is the title of a paper I wrote together with Hans Löhr, Thomas Pöppelmann, Johannes Rave, and Martin Steegmans (all from Ruhr-University Bochum). I presented the paper at <a href="http://stc2010.trust.rub.de/">ACM STC 2010</a> in Chicago last year. I think it's worth sharing the main idea here, too. Moreover, below you will find the links to the paper and the slides of my talk.<br />
<br />
Trusted Virtual Domains (TVDs) are a new framework for the implementation of secure multi-domain / single-infrastructure computer networks, such as centralized data centers or single organizational LANs that span different physical sites. A Trusted Virtual Domain is a set of virtual hosts that are distributed across multiple physical machines and that share a common security policy. Computational resources from different owners share the same physical infrastructure, while strong isolation is enforced between members of different TVDs by the underlying security framework.<br />
<br />
Since most existing TVD implementations are research prototypes, not available to the public, and focus on servers and data centers, there are only a few efforts on secure desktop environments. To fill this gap, we present in this paper an open-source implementation of TVDs based on the OpenSolaris operating system. We leverage several of its existing features (e.g., lightweight virtualization, security labels and a secure graphical user interface) and extend OpenSolaris with components for automated management and policy enforcement to create a usable desktop implementation of TVDs. This includes the transparent encryption of external storage and home directories of users, restriction of copy-and-paste according to the TVD policy, efficient deployment of images for user environments, and a central management interface for the administration.<br />
<br />
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvaX6F36jx9gyp1zdq53Mtvmq_JakTiOMMhA3SZC5Ibjc1qb5dGGU5DogevXKD8utXP1gSn2HOiL9g6ARIpkjWVzKMPiK-sNrP_AV37jrVF7KJs9WEiX0eihYOPvUCI6snCyhWK6zLXye5/s1600/architecture.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 201px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvaX6F36jx9gyp1zdq53Mtvmq_JakTiOMMhA3SZC5Ibjc1qb5dGGU5DogevXKD8utXP1gSn2HOiL9g6ARIpkjWVzKMPiK-sNrP_AV37jrVF7KJs9WEiX0eihYOPvUCI6snCyhWK6zLXye5/s400/architecture.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5562088732290814530" /></a><br />
<br />
The picture above shows the architecture of our TVD on OpenSolaris implementation. The general idea of our architecture is to use the built-in lightweight virtualization features of OpenSolaris, i.e., the zones, to separate the different TVDs from each other. The global zone executes the necessary management code, and deploys and starts the virtualized environments (zones) representing a TVD. Our system relies on the OpenSolaris kernel, which provides and enforces security features such as mandatory and discretionary access control. For intra-TVD communication, our TVD layer establishes logical links between the virtualized environments on different platforms that belong to the same TVD. This logical network is completely isolated from any network traffic from outside that TVD, thus establishing secure channels between the TVD members. The transmission of policies and keys, as well as management messages, is separated into another logical network which cannot be accessed by any TVD. This management network is also used for accessing the network storage that is provided to every user as a persistent storage mechanism.<br />
<br />
OpenSolaris offers several interesting features, the most prominent ones we used being the ZFS filesystem for our zone image deployment and the secure graphical user interface (Secure GUI). The screenshot below shows the graphical desktop environment with the trusted path functionality: the GUI system always shows which TVD a window or virtual screen belongs to (<span style="color:red;">red TVD</span> or <span style="color:green;">green TVD</span> in this example), and this information cannot be faked because the top-most menu bar, the trusted stripe, is under the control of the Secure GUI system. Applications running in the TVD zones cannot modify or fake this information.<br />
<br />
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmslp3SvEFTJs4WUwguBc2vrGRL6e0MAKQWQ_qLC-MYVM6_UuKeFGzHRIt-g7wfIGJqpSn-gvGnCQAs_bap-tmMaP01hklY0GzjyTFLn6Nbf5IaRaIlvtyMkCpE3uMGymyHDrpu3dfsQxu/s1600/TrustedDesktop.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 290px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmslp3SvEFTJs4WUwguBc2vrGRL6e0MAKQWQ_qLC-MYVM6_UuKeFGzHRIt-g7wfIGJqpSn-gvGnCQAs_bap-tmMaP01hklY0GzjyTFLn6Nbf5IaRaIlvtyMkCpE3uMGymyHDrpu3dfsQxu/s400/TrustedDesktop.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5562090115953598194" /></a><br />
<br />
In this work, we have shown that it is possible to implement TVDs for end-user desktop systems based on OpenSolaris. Our TVD framework features integrated management and transparent data encryption, an efficient deployment of zone images, and puts a particular focus on the ease of administration. Our implementation adds a TVD layer to the OpenSolaris system without any modification of the existing kernel or core security features. Demo videos and source code will be available on the <a href="http://www.trust.rub.de/projects/tvd-solaris/">project website</a>.<br />
<br />
<a href="http://www.marcel-winandy.de/papers/tvd-solaris-stc2010.pdf">Paper</a> | <a href="http://de.slideshare.net/mwinandy/trusted-virtual-domains-on-opensolaris-usable-secure-desktop-environments">Slides</a><br />
<br />
<b>A Note on the Security in the Card Management System of the German E-Health Card</b> (2010-12-20)<br />
This is a paper I wrote about the German E-Health Card ("Gesundheitskarte"), in which I analyzed the security implications of the Card Management System (CMS). I presented the paper at <a href="http://electronic-health.org/2010/index.shtml">eHealth 2010</a> in Casablanca, Morocco, last week. While previous work did a lot of security analysis of the German Healthcare Telematics infrastructure -- including network security, access control, peripheral parts, and platform security -- the card management system was neglected and received little or no attention from security experts. However, taking a closer look at the specifications from Gematik, one can find serious security flaws and conflicting requirements that ultimately lead to a loss of data sovereignty for the patient, i.e., the patient is no longer in control of his/her data stored in electronic health records (EHR). The good news is that the deployment of the CMS, and especially of the EHR within the telematics infrastructure, is currently on hold. The bad news is that the specification of the CMS is still in an insecure state and might be used in the future when EHR systems that use the eHC are deployed.<br />
<br />
From the abstract:<br />
The German compulsory health insurance system will introduce an electronic health card (eHC) in the near future. The eHC is supposed to enable new applications like securely storing electronic health records of patients in a central data center infrastructure so that health professionals can access these data via a common network. In this context, the card management system (CMS) is of special interest since it is used to personalize, issue, and maintain the cards. In this paper, we analyze the functional requirements specification of the CMS in Germany and identify several conflicting and ambiguous requirements. As the most important result, the specification defines technical measures that are insufficient to protect the data and data sovereignty of the patient. We discuss the resulting consequences, which might be helpful to improve the system design before its final deployment.<br />
<br />
More information: [<a href="http://www.marcel-winandy.de/papers/egk-cms-ehealth2010.pdf">Paper</a>] [<a href="http://de.slideshare.net/mwinandy/a-note-on-the-security-in-the-card-management-system-of-the-german-ehealth-card">Slides</a>]<br />
<br />
<b>Securing the E-Health Cloud</b> (2010-11-13)<br />
This is the title of a paper I wrote together with Hans Löhr and Ahmad-Reza Sadeghi. Today, I presented it at <a href="http://ihi2010.sighi.org/">IHI 2010</a> in Arlington, Virginia, USA. In this paper, we point out several shortcomings of current e-health solutions and standards, in particular that they do not address client platform security, which is a crucial aspect for the overall security of e-health systems. To fill this gap, we present a security architecture for establishing privacy domains in e-health infrastructures. Our solution provides client platform security and appropriately combines this with network security concepts.<br />
<br />
We present two models of e-health clouds: a simple one pertaining to Personal Health Records (PHRs), and an advanced one pertaining to Electronic Health Records (EHRs). We point out the difference in the paper, and discuss three major security problem areas: (i) data storage and processing, (ii) infrastructure management, and (iii) usability.<br />
<br />
To solve one of the problems, i.e., that of client platform security, we propose to construct privacy domains for the patients' medical data as a technical measure to support the enforcement of privacy and data protection policies: systems (e.g., a client PC) must be able to partition execution environments for applications into separate domains that are isolated from each other. Data is kept within a privacy domain, and the domain infrastructure ensures that only authorized entities can join this domain. Moreover, data leakage from the domain is prevented by the security architecture and the domain infrastructure. Therefore, the same system can be used for different workflows that are strictly isolated. The following picture shows the architecture:<br />
<br />
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqt2ZAREgvKqJV9DQDXNSjrN6Oij8DO2tg0q_x1pBrXK2cfZEfuriEKvrEeeB72yc9HRAGnn0LloFkOdtn5SMH0iXleLFF7ehRbLqt8DqYwOyJj7gwACS1K2kDD5kamrqDS-wmXcdjn0gD/s1600/privacy-domains.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 299px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqt2ZAREgvKqJV9DQDXNSjrN6Oij8DO2tg0q_x1pBrXK2cfZEfuriEKvrEeeB72yc9HRAGnn0LloFkOdtn5SMH0iXleLFF7ehRbLqt8DqYwOyJj7gwACS1K2kDD5kamrqDS-wmXcdjn0gD/s320/privacy-domains.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5538885030385376546" /></a><br />
<br />
Moreover, we discuss in the paper open research challenges in e-health scenarios, in particular those related to healthcare telematics infrastructures.<br />
<br />
[<a href="http://www.marcel-winandy.de/papers/ehealth-cloud-ihi2010.pdf">Paper</a>] [<a href="http://de.slideshare.net/mwinandy/securing-the-ehealth-cloud">Slides</a>]<br />
<br />
<b>Patterns for Secure Boot and Secure Storage in Computer Systems</b> (2010-08-21)<br />
<p>This is a paper I wrote together with Hans Löhr and Ahmad-Reza Sadeghi. It was presented at the SPattern 2010 workshop, co-located with the ARES 2010 conference. This paper describes two fundamental concepts of trusted computing in terms of security patterns, namely the <span style="font-weight:bold;">Secure Boot</span> pattern and the <span style="font-weight:bold;">Secure Storage</span> pattern. Although security patterns exist for operating system security, access control, and authentication, to the best of our knowledge there have not been any specifically on trusted computing. Secure boot is at the heart of most security solutions and secure storage is fundamental for application-level security: it ensures that the integrity of software is verified before stored data is accessed. Our paper aims at complementing existing system security patterns by presenting the common patterns underlying the different realizations of secure boot and secure storage.<br />
<br />
[<a href="http://www.marcel-winandy.de/papers/secureboot-securestorage-spattern2010.pdf">Paper</a>] [<a href="http://de.slideshare.net/mwinandy/patterns-for-secure-boot-and-secure-storage-in-computer-systems">Slides</a>]<br />
</p><br />
<b>A Pattern for Secure Graphical User Interface Systems</b> (2010-08-20)<br />
<p><br />
This is a paper I wrote together with Thomas Fischer and Ahmad-Reza Sadeghi. It was presented at the SPattern 2009 workshop in Linz. Several aspects of secure operating systems have been analyzed and described as security patterns. However, previous patterns do not explicitly cover the secure interaction of users with the user interface of applications. A secure user interface system has to provide a trusted path between the user and the application the user intends to use. The trusted path must be able to ensure integrity and confidentiality of the transmitted data, and must allow for the verification of the authenticity of the end points. Our paper presents a pattern for secure graphical user interface systems and evaluates its use in different implementations. This pattern shows how to fulfill the security requirements of a trusted path while preserving, in a policy-driven way, the flexibility that graphical user interfaces generally demand.<br />
</p><br />
<br />
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgred5l-6eSoWPvIKdrSj4KxAqxhRnlndtfd7Bx_ptCck0lAUIyx7-BK0ttd4xJ30mNKbHj_a8oQD9UecYID1ZKtAO2kTnrmEFwhsDaCWw4td0rL-IZ_CucaJaFLKqO9gQVrv-C-nxQH1W0/s1600/sui_pattern.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 345px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgred5l-6eSoWPvIKdrSj4KxAqxhRnlndtfd7Bx_ptCck0lAUIyx7-BK0ttd4xJ30mNKbHj_a8oQD9UecYID1ZKtAO2kTnrmEFwhsDaCWw4td0rL-IZ_CucaJaFLKqO9gQVrv-C-nxQH1W0/s400/sui_pattern.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5507265615876952098" /></a><br />
<br />
<p>The central idea is to mediate all user input/output through a Secure User Interface (SUI) system, and to separate the content drawn by applications from what is actually displayed on the screen. The SUI has exclusive control over the graphics rendering hardware and over the input events from the user input devices (typically, keyboard and mouse). The picture shows the participating elements. <br />
<br />
[<a href="http://www.marcel-winandy.de/papers/securegui-spattern2009.pdf">Paper</a>] [<a href="http://de.slideshare.net/mwinandy/a-pattern-for-secure-graphical-user-interface-systems">Slides</a>]<br />
</p><br />
<b>Videos on YouTube About Hacking Online Games Are Actually Phishing Attacks</b> (2009-04-30)<br />
Recently, a member in an online game mentioned that his account had been hacked. He said all his virtual items and virtual gold were lost. He was very angry because he had found a video on YouTube describing how easy it is to hack accounts in that online game.<br /><br />
So I also watched that video and quickly recognized that this was a phishing attack using social engineering tricks. Moreover, after a quick search on YouTube I discovered several such videos for different games. They all share a common pattern and trick users into sending their password to a certain e-mail address.<br /><br />
Basically, all these videos promise something like "how to hack an account" or "how to get 1000 gold". They claim to have discovered a hidden function that is normally used by the game masters of that online game. To activate the function, you would only need to send an e-mail with a certain structure to a particular e-mail address. That structure always includes the account name and the account password (phishing indicator #1: NEVER send passwords anywhere via e-mail!).<br /><br />
Moreover, the e-mail address to which all these videos tell you to send the request for the hidden function is never under the domain of the company developing or running the online game. Mostly, these are semi-anonymous addresses @gmx.net or @gmail.com (phishing indicator #2: similar, but not exactly correct, internet addresses).<br /><br />
Here are some examples, just search on YouTube:<br />
(Warning: Phishing attacks! Do not follow what they tell you!!)
<ul>
<li><b>Phishing</b> video "How to Scam an account on WoW!!!"</li>
<li><b>Phishing</b> video "WoW Account Hack [Easy]" (German)</li>
<li><b>Phishing</b> video "Herr der Ringe Online Account Hack [Easy]" (German)</li>
</ul>
And there are even more. Some of them have been online for two years and more! I can't believe this still works. But, like other phishing in e-commerce and online banking, there are still a lot of people who are tricked by these attacks.<br /><br />
I think it would be a good idea, and would help users, to describe these attacks on the web sites of the online game manufacturers and also on the welcome screen when you log in to your account in the game. There are still people who do not understand these attacks -- we need to tell them!<br />
<br />
<b>Trusted Privacy Domains -- Challenges for Trusted Computing in Privacy-Protecting Information Sharing</b> (2009-04-27)<br />
This is a paper I wrote together with Hans Löhr, Ahmad-Reza Sadeghi, and Claire Vishik. It was presented at <a href="http://www.ispec2009.net/">ISPEC 2009</a> in Xi'an, China, two weeks ago. It is mainly a position paper about privacy challenges that could be solved with concepts based on trusted computing, especially so-called Trusted Virtual Domains (TVD). Our main idea is to transform the TVD concept into an enforcement architecture for privacy policies. But in addition to discussing challenges and describing the idea, we also detail some fundamental building blocks of the TVD infrastructure, which to our knowledge has not been done before. 
Namely, we describe the details of how to establish a member node of a TVD on a local platform, and how trusted computing functionality, such as that provided by a TPM, is used in the protocols for TVD establishment.<br /><br />From the abstract:<br /><blockquote><i>In this paper, we propose a conceptual framework for user-controlled formal privacy policies and examine elements of its design and implementation. In our vision, a Trusted Personal Information Wallet manages private data according to a user-defined privacy policy. We build on Trusted Virtual Domains (TVDs), leveraging trusted computing and virtualization to construct privacy domains for enforcing the user's policy. We present protocols for establishing these domains, and describe the implementation of the building blocks of our framework. Additionally, a simple privacy policy for trusted privacy domains functioning between different organizations and entities across networks is described as an example. Finally, we identify future research challenges in this area.</i></blockquote><br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZN6e8Kk795Unr1KiUvqJTGOXggDCOkc2YJRB1CQ0cOo_BUhqYsR1Pjd385-p1Bfc_1DTXIPg6RKvsaxhHFtWykrFs-kbdyfazWUna5ZvyjWR055qiboGiZOVqnn4IU4VXncRN1Al7OVXJ/s1600-h/tpi-wallet.png"><img style="display:block; margin:0px auto 10px; text-align:center; width: 400px; height: 181px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZN6e8Kk795Unr1KiUvqJTGOXggDCOkc2YJRB1CQ0cOo_BUhqYsR1Pjd385-p1Bfc_1DTXIPg6RKvsaxhHFtWykrFs-kbdyfazWUna5ZvyjWR055qiboGiZOVqnn4IU4VXncRN1Al7OVXJ/s400/tpi-wallet.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5329383430874207650" /></a><br /><br />We propose to support the enforcement of privacy policies by establishing trusted domains. 
These policies enable individual users or organizations to specify fine-grained instructions for the use of private information. To enforce policies, we propose a "guardian agent" for the user: a <i>Trusted Personal Information Wallet</i> that is transferable between platforms and performs "verification" of the trustworthiness of a remote IT system, i.e., of its compliance with a specified policy. The verification helps guarantee the enforcement of the user's privacy policy when sensitive information is transmitted.<br /><br /><h3>Does New Research on "Instant On" Computing Pose a Challenge on Trusted Computing?</h3><i>Posted 2009-04-22</i><br /><br />Trusted Computing in general, and in particular the TCG model, relies on a trusted bootstrap mechanism, i.e., authenticated or secure boot. All other functions, e.g., attestation and sealing, are built on this mechanism. Attestation allows a local or remote party to verify the booted configuration of system components (e.g., BIOS, bootloader, operating system, etc.). Sealing makes it possible to encrypt data in such a way that it can only be decrypted when the system has booted in the same constellation as at the time the data was encrypted.<br /><br />Now, <a href="http://www.nsf.gov/news/news_summ.jsp?cntn_id=114612">recent research in transistor technology</a> has paved the way for computer systems that would be "instant on", meaning they would not need to boot but would be available instantly on power-on. This research has added so-called ferroelectric capabilities to standard computer transistors. Materials with such capabilities can be found, e.g., in smart cards.<br /><br />But if we have computers that do not need to boot at startup, a trusted bootstrap mechanism will be meaningless. 
If a computer system is instantly on, possibly in exactly the same state as when it was last used (similar to suspend and resume functionality), we cannot verify the current state via attestation. What should be attested? The configuration with which the system was originally bootstrapped, possibly months ago? No, that would not help to make any judgement about the trustworthiness of a computer's state.<br /><br />Fortunately, there are already some techniques available to handle such situations. For example, Intel's Trusted Execution Technology (TXT) includes a so-called Dynamic Root of Trust for Measurement (DRTM). The DRTM allows "booting" small pieces of code or entire new operating systems during runtime; it measures the loaded code and stores the measurement in a protected register of the TPM chip. With that mechanism one can reliably check the state of the loaded code. After execution of that code, the system returns to the state it was in before invoking the DRTM.<br /><br />However, it would not be of practical use to always start a new OS, because that would reintroduce the startup delay we just wanted to eliminate with "instant on" systems. Instead, it would be better to start only small pieces of application code directly with that method, as was demonstrated by the <a href="http://sparrow.ece.cmu.edu/group/flicker.html">Flicker</a> project on newer AMD64 processors. One drawback of this method, though, is that the original system is "halted" while the specific application code started via DRTM is executed. Thus, in order to use, e.g., operating system services, the system has to "switch back" to the original state, then restart the application via DRTM again, and so on. This introduces new "context switch" costs, which are much higher than those of normal process context switches.<br /><br />To conclude, it is important to think about alternative ways of realizing attestation and sealing without relying on authenticated boot methods. 
I think runtime integrity monitoring seems to be the answer to that question. But, although there are some promising approaches, this is still an unsolved problem.<br /><br /><h3>Modeling Trusted Computing Support in a Protection Profile for High Assurance Security Kernels</h3><i>Posted 2009-04-20</i><br /><br /><div xmlns="http://www.w3.org/1999/xhtml"><p style="margin-bottom: 0cm;">This is a paper I wrote together with Hans Löhr and Ahmad-Reza Sadeghi (RUB), Christian Stüble (Sirrix), and Marion Weber (BSI). Two weeks ago I presented the paper at the <a href="http://www.softeng.ox.ac.uk/trust2009/">Trust 2009</a> conference in Oxford, UK.</p><p style="margin-bottom: 0cm;">Abstract of the paper:</p><blockquote><i>This paper presents a Common Criteria protection profile for high assurance security kernels (HASK-PP) based on the results and experiences of several (international) projects on design and implementation of trustworthy platforms. Our HASK-PP was motivated by the fact that currently no protection profile is available that appropriately covers trusted computing features such as trusted boot, sealing, and trusted channels (secure channels with inherent attestation).</i></blockquote><blockquote><i>In particular, we show how trusted computing features are modeled in the HASK protection profile without depending on any concrete implementation for these features. Instead, this is left to the definition of the security targets of an IT product which claims conformance to the HASK-PP. 
Our HASK protection profile was evaluated and certified at evaluation assurance level five (EAL5) by the German Federal Office for Information Security (BSI).</i></blockquote><p style="margin-bottom: 0cm;">The HASK protection profile itself can be downloaded from the Sirrix homepage: <a href="http://www.sirrix.de/media/downloads/58389.pdf">http://www.sirrix.de/media/downloads/58389.pdf</a></p></div><br />
[<a href="http://de.slideshare.net/mwinandy/modeling-trusted-computing-support-in-a-protection-profile-for-high-assurance-security-kernels">Slides</a>]<br /><br /><h3>Information Security Conference (ISC 2008) Day 3</h3><i>Posted 2008-09-18</i><br /><br />The last day of the conference again included several talks on cryptography, hash functions, and related topics. However, there were a few talks on system security and authentication, too.<br /><br /><h4>Xuhua Ding: Proxy Re-Signatures in the Standard Model</h4>This talk discussed signature schemes with a proxy that re-signs messages. In proxy re-signature schemes, the proxy cannot sign arbitrary messages; instead the proxy needs an "allowance" from the original signer to do so. The signatures are indistinguishable, i.e., one cannot distinguish whether party A (the original signer) or party B (the proxy) has signed the message. Technically this works as follows: there are two additional operations (besides KeyGen, Sign, and Verify as usual): ReKey and ReSign. The ReKey operation takes as input the asymmetric key pairs of A and B, and outputs a new key for B. This key transforms A's signature into that of B. The ReSign operation takes this key and the old signature, and outputs a new signature which can be verified by the same public key.<br /><br />An attack (key recovery attack) on an existing scheme in the random oracle model was shown, and a new scheme (Homomorphic Compartment Signatures) was presented which the authors claim to be secure in the standard model. (<a href="http://isc08.twisc.org/slides/S6P1_Proxy_Re-Signatures_in_the_Standard_Model.pdf">slides</a>)<br /><br /><i style="color: rgb(102, 102, 102);">I wonder whether these proxy re-signature schemes can be used for signing credentials of a virtual TPM (vTPM)? 
Since the vTPM does not have a vendor certificate for its endorsement key (vEK), it cannot request certificates for its attestation identity keys (vAIK) directly. But what if the hardware TPM signs with its AIK the vAIK of the vTPM, and a proxy has the transformation key to make vAIK and AIK signatures indistinguishable? The vTPM could sign vPCRs with its vAIK, and the proxy could transform the signature as if it was signed by the real TPM, hence letting verifiers use the AIK certificates to verify the signature!? Well, just a rough idea...</i><br /><br /><h4>David Champagne: The Reduced Address Space (RAS) for Application Memory Authentication</h4>This talk presented a new method for application memory authentication, i.e., the procedure by which an application can verify that what it reads from memory is what it wrote there before. The approach assumes the CPU and the application to be trusted, and that an on-chip engine can authenticate the initial state of the application (David mentioned TPM, XOM, AEGIS, SP, and SecureBlue as related work). Existing approaches use hash trees to verify memory integrity: the data blocks and the hash tree are in off-chip RAM, the root hash is on-chip. Hash trees over the physical address space (PAS) are insecure because of a so-called "branch splicing attack" (with an untrusted OS, data blocks can be substituted via page table corruption). Hash trees over the virtual address space (VAS) are impractical because they are too wide.<br /><br />In the proposed RAS tree, the data blocks (leaf nodes) cover the address ranges of used memory regions only (contents of code, data, heap, and stack). When new memory pages are touched, a partial tree is constructed and the RAS tree is expanded, i.e., the old tree is "merged" with the partial one.<br /><br />RAS trees are resistant against the branch splicing attack. But they require additional hardware: a Tree Management Unit (TMU) and a hash engine. 
The TMU is located between TLB/cache and the bus controller. The prototype does not support shared memory yet (e.g., necessary for shared libraries). (<a href="http://isc08.twisc.org/slides/S6P3_The_Reduced_Address_Space_%28RAS%29_for_Application_Memory_Authentication.pdf">slides</a>)<br /><br /><i style="color: rgb(102, 102, 102);">While the approach of RAS trees is very interesting and the technique behind it seems sound, the underlying assumption of operating the application on an untrusted operating system is somehow strange and artificial. So, the application can now verify the integrity of its memory. But in reality, an application needs a lot of services from the OS, e.g., I/O, libraries, resources like files, etc. But if the OS is untrusted, why care about memory integrity? The application would not be able to communicate its operational results to some other subject (either processes or the user) because for that it would need the services of the OS, which are untrusted by assumption. I think this seems usable only for a limited range of applications (e.g., on special-purpose devices, embedded systems or alike).</i><br /><br /><h4>Ersin Uzun: HAPADEP - Human-Assisted Pure Audio Device Pairing</h4>This talk presented the HAPADEP system, a way to pair devices (e.g., a Bluetooth phone and headset) via audio that a human can monitor. The public keys for the cryptographic pairing are encoded as audio streams, and played and recorded on each device. In the verification phase, the devices play an audio encoding of the digest of the exchanged keys, and the user has to compare the audio samples. What the user hears can either be a melody or a (grammatically correct, but nonsensical) English sentence. Results of a (small) usability study showed that sentences are more convenient for the verification phase. 
(<a href="http://isc08.twisc.org/slides/S9P1_HAPADEP_Human-Assisted_Pure_Audio_Device_Pairing.pdf">slides</a>)<br /><br /><h4>Cormac Herley: One-Time Password Access without Changing the Server</h4>This was about web authentication using a proxy. The proxy has a set of symmetric encryption keys <i>ek<sub>1</sub></i>,...,<i>ek<sub>n</sub></i>. The user has to compute the encrypted passwords <i>E(pwd,ek<sub>1</sub>)</i>,...,<i>E(pwd,ek<sub>n</sub>)</i> on a trusted machine and store the resulting list, e.g., on a mobile phone. The proxy uses redirected URLs (e.g., paypal.urrsa.com) to avoid any proxy configuration in the web browser; hence, the proxy has a fixed address (<a href="http://www.urrsa.com/">urrsa.com</a>). The user enters an encrypted password in the web browser, which sends it to the proxy. The proxy decrypts the password and inserts the clear-text password into the original login site.<br /><br />The approach assumes DNS works correctly (i.e., there is no protection against DNS poisoning). Moreover, it does not bind the passwords/keys to any URLs or SSL certificates. The proxy just decrypts the password and sends it to the web site configured in the mapping of, e.g., paypal.urrsa.com to the www.paypal.com website. Users have a transparent usage experience, except that all (security-sensitive) URLs are now of the form <i>*.urrsa.com</i>. (<a href="http://isc08.twisc.org/slides/S9P2_One-Time_Password_Access_without_Changing_the_Server.pdf">slides</a>)<br /><br /><h4>Cormac Herley: Can "Something You Know" be Saved?</h4>Cormac Herley gave another talk, this time questioning whether there is a fundamental problem with challenge-response protocols for web authentication. Based on the attack model that an adversary can observe anything on a PC (e.g., due to malware, keyloggers, etc.), and that the adversary can observe login attempts many times, it follows that it is generally not a good idea to enter passwords in clear text on untrusted machines. 
Instead, users should perform challenge-response protocols in which they do not reveal the secret. They enter a value computed by a response function that takes the secret and a challenge as input. However, this scheme is constrained by the human capabilities of memorizing bits and doing computations in one's head.<br /><br />Within these constraints, the talk analyzed the effects of modifying parameters of generic challenge-response protocols, e.g., the number of secret bits that are necessary for every response bit. This results in a generic brute-force attack: secrets that are close (differing only in a few bits relevant for responses) have close responses, which makes it easy to find values that are close to the secret. In other words, the adversary does not need to know the whole secret, but only those bits that are relevant to compute valid responses. (<a href="http://isc08.twisc.org/slides/S9P3_Can_Something_You_Know_be_Saved.pdf">slides</a>)<br /><br /><h3>Information Security Conference (ISC 2008) Day 2</h3><i>Posted 2008-09-17</i><br /><br />The second day had only cryptanalysis talks on the agenda. So I decided to do some other work. In the afternoon, there was a tour to the Taiwan National Palace Museum. On the ISC08 website you can find <a href="http://isc08.twisc.org/photo_index_917_4.php">photos from the museum tour</a>. 
In the evening, there was the gala banquet, for which you can also have a look at some <a href="http://isc08.twisc.org/photo_index_917_5.php">photos</a>.<br /><br /><h3>Information Security Conference (ISC 2008) Day 1</h3><i>Posted 2008-09-16</i><br /><br />The 11th Information Security Conference (ISC 2008) was held in Taipei, Taiwan. This is a short summary of some presentations I attended.<br /><br /><h4>Marcel Winandy: Property-Based TPM Virtualization</h4>This was actually my presentation. See my older <a href="http://winandy.blogspot.com/2008/06/property-based-tpm-virtualization.html">post</a> and my <a href="http://isc08.twisc.org/slides/S1P1_Property-Based_TPM_Virtualization.pdf">slides</a>.<br /><br /><h4>Endre Bangerter: A Demonstrative Ad Hoc Attestation System</h4>The proposal is to use a trusted device for ad hoc attestation of computing platforms, i.e., showing to the user "PC is ok" or "PC is not ok". It is a server-based approach, where the server sends a remote procedure call (RPC) to the PC, and the PC displays flickering barcodes on the screen. The trusted device is held in front of the screen and receives the RPC, i.e., decodes the barcode. Finally, the device displays whether the PC is OK or not.<br /><br />The decision the device displays is actually based on a remote attestation done between the server and the PC. The trusted device is just used as a local "trusted display" of the remote server. For each attestation, the flickering barcode will be different (i.e., it includes a counter value) to prevent simple replay attacks. (<a href="http://isc08.twisc.org/slides/S1P2_A_Demonstrative_Ad-hoc_Attestation_System.pdf">slides</a>)<br /><br /><h4>Hans Löhr: Property-Based Attestation without a Trusted Third Party</h4>This is an improved protocol for property-based attestation. 
Instead of having a Trusted Third Party (TTP) issuing certificates for properties, the verifier has <i>a priori</i> a list of configurations. The attestee creates a proof that its configuration is within a defined list of configurations, without revealing which exact configuration it has. The proof is based on group signatures (a ring signature scheme) without revealing the secret key used to sign the commitment. (<a href="http://isc08.twisc.org/slides/S1P3_Property-Based_Attestation_without_a_Trusted_Third_Party.pdf">slides</a>)<br /><br /><h4>Xuhua Ding: An Efficient PIR Construction Using Trusted Hardware</h4>A paper about private information retrieval. It improves reshuffling of the database from <i>O(n)</i> to <i>O(sqrt(n))</i>. Records are colored black and white. On each query, two records of different colors are fetched. Retrieved records are colored black. Shuffling is done only on black ("touched") records. (<a href="http://isc08.twisc.org/slides/S2P1_An_Efficient_PIR_Construction_Using_Trusted_Hardware.pdf">slides</a>)<br /><br /><h4>Charalampos Papamanthou: Athos - Efficient Authentication of Outsourced File Systems</h4>Outsourced file systems are stored on a server. The server is completely untrusted (i.e., there is no trusted hardware on the server side). File accesses are queries to the server, each accompanied by a "proof" of authenticity, both for file system content and hierarchy. This proof is based on cryptographic hashing, and uses authenticated skip lists and authenticated dynamic trees. It is an efficient scheme (similar to Merkle hash trees): the client only has to maintain <i>O(1)</i> trusted storage. Query operations take <i>O(k log n)</i> time. 
(<a href="http://isc08.twisc.org/slides/S2P2_Athos_Efficient_Authentication_of_Outsourced_File_Systems.pdf">slides</a>)<br /><br /><h3>Property-Based TPM Virtualization</h3><i>Posted 2008-06-27</i><br /><br />This is the title of a paper I have written together with Ahmad-Reza Sadeghi and Christian Stüble. We will present it at the 11th Information Security Conference (<a href="http://isc08.twisc.org/">ISC 2008</a>) in Taipei, Taiwan. I will also give a presentation about it at the <a href="http://www.hgi.rub.de/hgi/hgi-seminar/">HGI Seminar</a> at Ruhr-University Bochum on 10th July 2008.<br />
<br />
Virtualization and hypervisors enable useful and cost-efficient means to manage IT infrastructure, especially migration of virtual machines (VMs) between hardware platforms. A challenge in this context is the virtualization of hardware security modules like the Trusted Platform Module (TPM), since the intended purpose of TPMs is to securely link software and the underlying hardware. Existing solutions for TPM virtualization, however, have various shortcomings that hinder their deployment to a wide range of useful scenarios. In our paper, we address these shortcomings by presenting a flexible and privacy-preserving design of a virtual TPM that, in contrast to existing solutions, supports different approaches for measuring the platform's state and for key generation, and uses property-based attestation mechanisms to support software updates and VM migration. Our solution improves the maintainability and applicability of hypervisors supporting hardware security modules like the TPM. The following figure shows the design.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgftahZHl8Xc4Pa-6h0ay0Lgwp7YJfb6mvstyMVxReat4A-4yT6arhF3wdweNE9ofAJqfK66bXUp1lZ9LHiJCyTub-L1kmWNkhzZLsLIXJ2-_lRNkyZHmIa9T2hcjML5SRv0We-lM54fYW0/s1600/vTPM-architecture.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgftahZHl8Xc4Pa-6h0ay0Lgwp7YJfb6mvstyMVxReat4A-4yT6arhF3wdweNE9ofAJqfK66bXUp1lZ9LHiJCyTub-L1kmWNkhzZLsLIXJ2-_lRNkyZHmIa9T2hcjML5SRv0We-lM54fYW0/s400/vTPM-architecture.png" /></a></div><br />
For each VM that needs a vTPM, there is a separate vTPM instance. We assume the underlying hypervisor to protect the internal state and operations of each vTPM from any unauthorized access. The main building blocks of our vTPM are the following: <i>PropertyManagement</i> represents the virtual PCRs and manages different mechanisms to store and read measurement values; <i>KeyManagement</i> is responsible for creating and loading keys; <i>vTPMPolicy</i> holds the user-defined policy of the vTPM instance, defining which properties are going to be revealed during an attestation operation; <i>CryptographicFunctions</i> provide monotonic counters, random number generation, hashing, etc.; <i>MigrationController</i> is responsible for migrating the vTPM to another platform.<br />
<br />
To improve flexible migration and to preserve the availability of sealed data after migration or software updates, an essential step is to support other measurement strategies. Applying property-based measurement and attestation to a vTPM allows much more flexibility in the choice of the hypervisor and for easier updates of applications -- a VM can still use sealed data or run attestation procedures if the properties of the programs remain the same.<br />
<br />
Our vTPM design is based on a plug-in-like architecture for various vPCR extension strategies. Each extension strategy is realized by a <i>PropertyProvider</i> module implementing different <i>translation</i> functions. A translation function translates measurements (i.e., hash values of program binaries) into property representations. Each PropertyProvider has its own vector of virtual PCRs. Thus there is a matrix of vPCR values for each vTPM. This allows us to choose, according to the vTPM policy, which PropertyProvider to use on particular sealing or attestation operations.<br />
<br />
Depending on the implementation of the PropertyProvider, we can realize property-based sealing and property-based attestation without any change to the interface of the vTPM from the perspective of the associated VM. This enables the availability of protected data and cryptographic keys of the vTPM after migrating to another platform that provides the same security properties but may have a different binary implementation. TPM-enabled applications executed in a VM can directly profit from this flexibility without the need for modification.<br />
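To make the PropertyProvider idea concrete, here is an added, simulated vTPM (illustration code, not the paper's or any project's implementation). It assumes SHA-256 as the PCR hash, an HMAC-derived keystream plus MAC in place of real TPM sealing, and a constructed table of "property certificates" as the translation function; it shows that data sealed through the binary-hash provider becomes unavailable after a software update, while data sealed through the property provider survives it.

```python
"""Simulated vTPM with plug-in PropertyProviders (added illustration, not the
paper's code). Assumptions: SHA-256 stands in for the TPM hash, an HMAC-derived
keystream plus MAC stands in for TPM sealing, and a constructed table of
"property certificates" plays the role of the property translation function."""
import hashlib
import hmac


def extend(pcr: bytes, value: bytes) -> bytes:
    # TPM-style extend: PCR_new = H(PCR_old || H(value)); SHA-256 here.
    return hashlib.sha256(pcr + hashlib.sha256(value).digest()).digest()


class PropertyProvider:
    """One vPCR extension strategy with its own vector of virtual PCRs."""
    def __init__(self, name, translate, n_pcrs=4):
        self.name = name
        self.translate = translate          # measurement -> property representation
        self.vpcrs = [bytes(32)] * n_pcrs   # all-zero vPCRs after vTPM reset

    def measure(self, idx, binary):
        self.vpcrs[idx] = extend(self.vpcrs[idx], self.translate(binary))

    def digest(self, idxs):
        # composite digest over the selected vPCRs, like a TPM PCR composite
        return hashlib.sha256(b"".join(self.vpcrs[i] for i in idxs)).digest()


def _keystream_xor(key, data):
    # toy stream cipher: XOR with SHA-256(key || counter) blocks (illustration only)
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)


class VTPM:
    def __init__(self, providers, seal_provider):
        self.providers = {p.name: p for p in providers}   # matrix of vPCRs
        self.policy = {"seal_provider": seal_provider}    # user-defined vTPM policy

    def extend(self, idx, binary):
        # one extend from the VM updates the vPCR of every provider
        for p in self.providers.values():
            p.measure(idx, binary)

    def seal(self, data, idxs):
        p = self.providers[self.policy["seal_provider"]]
        key = hmac.new(p.digest(idxs), b"seal", "sha256").digest()
        ct = _keystream_xor(key, data)
        tag = hmac.new(key, ct, "sha256").digest()
        return {"provider": p.name, "pcrs": list(idxs), "ct": ct, "tag": tag}

    def unseal(self, blob):
        p = self.providers[blob["provider"]]
        key = hmac.new(p.digest(blob["pcrs"]), b"seal", "sha256").digest()
        expected = hmac.new(key, blob["ct"], "sha256").digest()
        if not hmac.compare_digest(expected, blob["tag"]):
            return None   # platform state differs from the state at seal time
        return _keystream_xor(key, blob["ct"])


# Constructed sample binaries: a program before and after a patch.
APP_V1 = b"app-binary-v1 (constructed)"
APP_V2 = b"app-binary-v2 (constructed, patched)"
# Constructed property certificates: both versions carry the same property.
PROPERTY_CERTS = {
    hashlib.sha256(APP_V1).digest(): b"property:isolated-credential-wallet",
    hashlib.sha256(APP_V2).digest(): b"property:isolated-credential-wallet",
}


def binary_translate(binary):
    return hashlib.sha256(binary).digest()     # plain hash, like a hardware TPM


def property_translate(binary):
    # hypothetical property-based provider: hash -> certified property name
    return PROPERTY_CERTS.get(hashlib.sha256(binary).digest(), b"property:unknown")


def make_vtpm(seal_provider):
    return VTPM([PropertyProvider("binary", binary_translate),
                 PropertyProvider("property", property_translate)], seal_provider)


SECRET = b"sealed vTPM key material (constructed)"


def seal_then_update(seal_provider):
    """Seal under version 1, then try to unseal on a platform running version 2."""
    before = make_vtpm(seal_provider)
    before.extend(0, APP_V1)
    blob = before.seal(SECRET, [0])
    after = make_vtpm(seal_provider)
    after.extend(0, APP_V2)
    return after.unseal(blob)


if __name__ == "__main__":
    print("binary provider after update:  ", seal_then_update("binary"))    # None
    print("property provider after update:", seal_then_update("property"))  # SECRET
```

A binary that no property certificate covers translates to "property:unknown", so the property provider still refuses to unseal for unknown code; only certified equivalents are interchangeable.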
<br />
[<a href="http://de.slideshare.net/mwinandy/propertybased-tpm-virtualization">Slides</a>]<br /><br /><h3>Tools for Maintaining a Personal Research Journal</h3><i>Posted 2008-06-14</i><br /><br />Keeping a journal of research activities, especially when studying for a PhD, is generally considered a good idea (see for example desJardins' guide <a href="http://www.cs.umbc.edu/~mariedj/papers/advice.ps">How to Succeed in Graduate School</a>). Such a journal helps to organize ideas, to record the progress of research, and to build new ideas. On the web, you can also find other guidelines which give more examples of what to include in the journal, e.g., <a href="http://www.vendian.org/mncharity/dir3/research_notebook/">Notes on the Personal Research Notebook / Journal</a>.<br /><br />While I used such a journal concept intuitively during my diploma thesis, I wrote it on separate sheets of paper which I later transformed into the written thesis. This worked out very well at that time and on that project. However, now I want to use a tool which can automate time-consuming things like searching and copy&paste. Today, I have several subprojects and small parts which are sometimes (at least at the beginning) very unrelated. Using a paper notebook as a journal would not be very efficient. So, I wondered which software tools would work as a research journal for a PhD.<br />I have tried out several tools, starting from simple text files to the journal and todo list functions in KDE Kontact. But the information is still scattered throughout several files on my disk in several different formats (text files, LaTeX files, OpenOffice files, pictures, etc.). 
I need something that can combine everything and provides a fast search and some kind of sorting function (like tagging in Web 2.0 applications).<br /><br />Finally, I have found two applications which are suitable for this task. The first is <a href="http://journler.com/">Journler</a> for Mac OS X. This is <i>exactly</i> what I needed. You can enter journal entries in chronological order, add tags, pictures, URLs, PDFs, whatever. When you click on a tag, Journler automatically shows a list of all entries with this tag. And of course, it makes use of the fast search engines of Leopard to quickly scan your entries for keywords. This is great!<br /><br />Unfortunately, I have to work on a PC laptop at work. So I can't use Journler there. But I have something similar: <a href="http://basket.kde.org/">BasKet Note Pads</a> for KDE on Linux. It has similar functionality, and I have started to use it. One good feature I noticed: you can import notes from KNotes and simple text files (now it pays off to have used text files! *g*).<br /><br /><h3>RapidWeaver and RapidBlog</h3><i>Posted 2007-11-28</i><br /><br />I have begun to use RapidWeaver as a web development tool. Although it is only available for Mac, I did not find any similar tool for Linux or even Windows. RapidWeaver works and looks like iWeb, the Apple web-site tool in the iLife package. It is very easy to create a web site with a navigation bar, blog, picture gallery, etc. It supports themes, which are actually stylesheet packages including background images and the like.<br /><br />RapidWeaver also supports add-ons. There is one interesting add-on I have found: RapidBlog. This add-on extends the blogging module of RapidWeaver with synchronization of a Google Blogger (Blogspot) account. 
This is very nice since it allows you to write your blog posts online in any web browser and on any system, using the Blogger web interface. But you can still write and manage your posts in the RapidWeaver application.<br /><br />Now, there is one interesting question: Does RapidBlog automatically synchronize the blog when you write a new post on the Google Blogger web interface, or do you need to run the sync within RapidWeaver manually?<br /><br /><strong>Update:</strong> Yeah, this works automatically! Thanks to the PHP script, this site automatically includes the latest posts from the original Blogspot site.<br /><br /><h3>Holisticly provide access</h3><i>Posted 2007-10-19</i><br /><br /><blockquote>“Bonjour: Holisticly provide access to ethical communities vis-a-vis client-focused.”</blockquote>Funny description of network technology. This was posted on the Apple website announcing the new Mac OS X Leopard. But they have changed the text now… :-)<br /><br />See also:<br /><a href="http://www.codingmonkeys.de/map/log/articles/2007/10/16/holisticly-provide-bullshit-buzzwords">Martin Pittenauer’s blog</a> or the various links you can find using the Internet search engine of your choice.<br /><br /><h3>Compartmented Security for Browsers - Or How to Thwart a Phisher with Trusted Computing</h3><i>Posted 2007-07-16</i><br /><br />This is the title of a paper written by Sebastian Gajek, Ahmad-Reza Sadeghi, Christian Stüble, and me. We already presented and published it at the Second International Conference on Availability, Reliability and Security (<a href="http://www.ares-conference.eu/">ARES 2007</a>). 
It is an improved version of the paper “Towards Multicolored Computing”, which I previously announced here. Our approach is based on the ideas of compartmentalization (for isolating applications of different trust levels) and a trusted wallet (for storing credentials and authenticating to sensitive services on behalf of the user). However, we do not rely on a trusted browser this time. The following figure shows our basic architecture.<br />
<br />
<img src="http://www.winandy.de/marcel/research/images/wallet-architecture.png" /><br />
In this paper, we show that the wallet can handle the whole mutual authentication process after it has been set up by the user once. We also improved the setup procedure by cryptographically embedding a web-site-bound random value into the account password. This value is unknown to the user. On the one hand, this prevents the user from choosing a low-entropy password when setting up an account. On the other hand, it ensures that the user does not use the same password for different accounts.<br />
<br />
To realize transparent usage and to provide a safe environment during the account setup, the wallet also works as a network proxy. Hence, the wallet must be capable of parsing HTML web sites and reacting accordingly, e.g., by initiating the setup procedure.<br />
<br />
To protect the confidentiality of the user’s credentials, we use the sealing functionality of a Trusted Platform Module (TPM): we bind the secret data to the integrity measurements of the wallet and the underlying security kernel. This means that the credentials are encrypted using a key that never leaves the TPM, and decryption is only possible if the same measurement values are logged into the TPM during the boot process as were recorded at encryption time.<br />
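As an added example (not code from the paper or from the projects it builds on), the following Python sketch models the two mechanisms described in the preceding paragraphs: the account password with the site-bound random value r embedded, and sealing the stored credential to boot-time measurements so that it is released only on an unmodified platform. The PBKDF2-based derivation, the SHAKE-based toy cipher, the ToyTPM class and the boot logs are assumptions made for this example; a real TPM 1.2 wraps the data under an RSA storage key and compares a PCR composite instead.

```python
import base64, hashlib, hmac, secrets

def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    # TPM 1.2 style extend: PCR_new = SHA-1(PCR_old || SHA-1(component))
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_boot(components) -> bytes:
    # Boot chain: each loaded component (security kernel, wallet, ...) is logged into one PCR.
    pcr = bytes(20)
    for c in components:
        pcr = pcr_extend(pcr, c)
    return pcr

def site_password(user_pw: str, site: str, r: bytes) -> str:
    # Hypothetical KDF, not the paper's exact construction: the account password is
    # derived from the user password, the site name and the site-bound random r.
    dk = hashlib.pbkdf2_hmac("sha256", user_pw.encode(), site.encode() + r, 10_000, 24)
    return base64.b64encode(dk).decode()

def xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher (SHAKE-256 keystream) standing in for the TPM's RSA wrapping.
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(b"seal" + key).digest(len(data))))

class ToyTPM:
    def __init__(self):
        self._root = secrets.token_bytes(32)   # root secret never leaves the "TPM"
    def seal(self, data: bytes, pcr: bytes) -> bytes:
        # Wrapping key depends on the root secret and the PCR value at seal time.
        key = hmac.new(self._root, pcr, hashlib.sha256).digest()
        ct = xor_stream(key, data)
        return pcr + ct + hmac.new(key, pcr + ct, hashlib.sha256).digest()  # PCR stored in the clear
    def unseal(self, blob: bytes, current_pcr: bytes):
        # Returns the plaintext only if the current PCR equals the one recorded at seal time.
        expected, ct, tag = blob[:20], blob[20:-32], blob[-32:]
        key = hmac.new(self._root, current_pcr, hashlib.sha256).digest()
        pcr_ok = hmac.compare_digest(expected, current_pcr)
        tag_ok = hmac.compare_digest(tag, hmac.new(key, expected + ct, hashlib.sha256).digest())
        return xor_stream(key, ct) if pcr_ok and tag_ok else None  # None: TPM refuses to unseal

GOOD_BOOT = [b"security-kernel-v1", b"wallet-v1"]             # constructed boot log
BAD_BOOT = [b"security-kernel-v1", b"wallet-with-keylogger"]  # constructed: modified wallet

def demo():
    tpm, r = ToyTPM(), secrets.token_bytes(16)        # r is never shown to the user
    pw = site_password("weakpw", "bank.example", r)   # high entropy even from a weak user password
    blob = tpm.seal(pw.encode(), measure_boot(GOOD_BOOT))
    good = tpm.unseal(blob, measure_boot(GOOD_BOOT))  # same measurements: credential released
    bad = tpm.unseal(blob, measure_boot(BAD_BOOT))    # modified wallet: nothing released
    return good == pw.encode(), bad is None
```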
<br />
More information: [<a href="http://www.hgi.rub.de/media/hgi/files/weitere/hgi-tr-2007-001.pdf">Technical Report</a>] [<a href="http://de.slideshare.net/mwinandy/compartmented-security-for-browsers">Slides</a>]<br /><br />Posted by Marcel Winandy<br /><br /><strong>CeBIT 2007</strong> (2007-03-19, updated 2007-11-28)<br /><br />On Saturday I took my annual trip to Hannover to visit the CeBIT trade fair. I just want to give my impressions of what I found interesting there.<br /><h4>Plasma TVs can have lower power consumption than LCD TVs</h4>This is quite interesting since people still believe Plasma TVs have a high power consumption. However, in contrast to LCD TVs, which always have a constant power consumption (about 160-240 W, depending on the model), Plasma TVs vary in their consumption depending on the current image to display. If the image is very bright, e.g., a white screen or a snow landscape, Plasma TVs have a high power consumption (let’s say 200 W, depending on the model of course). But if the image is dark, e.g., a black screen or a night scene in a movie, Plasma TVs consume much less than their maximum (e.g., only 60 W). So, depending on your TV watching habits, a Plasma TV might even save energy compared to an LCD TV!<br /><h4>Mobile phones for older people become more usable and cheaper</h4>I discovered a mobile phone which was especially designed for older people. The <a href="http://www.emporia.at/">“emporiaLife”</a> phone has larger buttons than usual phones, a large display that shows the dialed numbers much bigger, and a special emergency button, which you only have to press to get connected to a number you have previously defined (there can be up to five different emergency numbers). The device is dual-band, can send and receive SMS, and includes a flashlight.
At the booth they told me the price will be about 200 Euros.<br /><h4>Car navigation devices get more functionality</h4>There seems to be a trend to integrate a variety of functionality into car (or mobile) navigation devices. I have seen the integration of DVB-T TV or Bluetooth connection to mobile phones at several vendors. One example is <a href="http://www.naviflash.de/">Naviflash</a>. An interesting detail I also discovered: Naviflash has a flexible bracket with some kind of “ground support” to stabilize the device when attached to the windshield.<br /><h4>Digital picture frames</h4>A lot of vendors now offer digital picture frames, for instance <a href="http://monitor.samsung.de/subtype_com_related_photoframe.asp">Samsung</a> and its <a href="http://monitor.samsung.de/article.asp?artid=87F01DE8-C824-4A71-83A2-9C44D5B06435">SPF-07N</a>. A digital picture frame displays a digital photo, similar to a normal “hard-cover” picture frame. But a digital picture frame can store several pictures and display them alternately, e.g., changing them periodically or on command. This might become a new big trend, at least if prices are acceptable.<br /><h4>“I’ll call you by trousers”</h4>In the Future Parc, they showed (amongst others) smart textiles. These are clothes which integrate some digital functionality, usually control panels for electronic devices. Funny example: leather trousers with a control panel for a mobile phone. :-)<br /><br />Posted by Marcel Winandy<br /><br /><strong>Phishing Attacks Predicted among Top Security Threats for 2007</strong> (2007-01-07, updated 2007-11-28)<br /><br />On <a href="http://www.technewsworld.com/story/54924.html">TechNewsWorld</a>, there is an article about the prediction of the top security threats for the year 2007. Most of the predicted attacks mentioned are related to phishing attacks and identity theft.
The prediction is given by the companies McAfee and MessageLabs. Besides faked web sites that try to steal passwords, more and more phishing attacks will use malware to achieve their goals, e.g., malicious code distributed through video files or spoofing of IM (instant messaging) identities. Interestingly, they also predict phishing attacks through VoIP (voice over IP) using spoofed phone calls.<br /><br />Posted by Marcel Winandy<br /><br /><strong>Security by Configuration</strong> (2006-12-23, updated 2007-11-28)<br /><br />There is an interesting article on Linux.com about configuration-centered security, <a href="http://specialreports.linux.com/specialreports/06/12/08/1929225.shtml?tid=137&tid=129&tid=35">“Configuration: The Forgotten Side of Security”</a> (by Bruce Byfield). Whereas most security products on the market follow the approach of reactive security (e.g., anti-virus scanners, patches), a proactive approach includes security aspects in the design and installation of a computer system. Intuitively, taking security into account right from the start should be the better approach, because design flaws in a software architecture are harder to fix later. The article gives some hints why the computer industry has not followed this approach. One reason mentioned is the tradeoff between security and convenience. But counter-examples are given (for instance, Mac OS X *g*), and an IT professional is quoted as saying that “usability and security are not mutually exclusive”.
And I think that is absolutely right.<br /><br />The article lists the basic goals of system configuration, which are derived from basic security principles (e.g., least privilege, containment, etc.):<br /><span style="font-style:italic;"><blockquote><ul>
<li>Build for a specific purpose and only include the bare minimum needed to accomplish the task.</li>
<li>Protect the availability and integrity of data at rest.</li>
<li>Protect the confidentiality and integrity of data in motion.</li>
<li>Disable all unnecessary resources.</li>
<li>Limit and record access to necessary resources.</li>
</ul></blockquote></span><br />I think these goals should be applied especially to online banking applications in the context of phishing attacks. Having full-featured, complex web browser applications does not seem to be the right basis for such tasks, does it? Well, maybe the idea of browser compartments is a good starting point…<br /><br />Posted by Marcel Winandy<br /><br /><strong>Towards Multicolored Computing - Compartmented Security to Prevent Phishing Attacks</strong> (2006-10-07, updated 2008-06-14)<br /><br />This is a paper that I have written together with Sebastian Gajek, Ahmad-Reza Sadeghi, and Christian Stüble. I presented the paper at the 1st Benelux Workshop on Information and System Security (<a href="http://www.cosic.esat.kuleuven.be/wissec2006/">WISSec 2006</a>) in Antwerpen, Belgium, last month.
The paper aims at making the first steps towards the design and implementation of an open-source and interoperable security architecture that prevents both classical phishing (e.g., e-mails luring unaware users to faked web sites) and the newly emerging malware phishing, i.e., malicious software specifically tailored to certain services.<br /><br />Our approach is based on the ideas of multicolored computing (e.g., red for the risky and green for the trusted domain) and a trusted wallet for storing credentials and authenticating to sensitive services. Our solution requires no special care from users for identifying the right web sites, while the disclosure of credentials is strictly controlled. In the paper we present the main idea of how to integrate countermeasures against phishing and malware into one sound security architecture. We also briefly sketch how to implement this architecture based on the <a href="http://www.perseus-os.org/">PERSEUS security framework</a>, which utilizes Trusted Computing functionality and virtualization. The former is used to preserve system integrity, and the latter provides compartment isolation and software re-use.<br /><br />To establish a trusted path to the trusted wallet we make use of the Secure GUI subsystem that is developed by the <a href="http://www.emscb.de/">EMSCB</a> project for the PERSEUS system. The Secure GUI subsystem provides each compartment with an isolated graphics framebuffer; these framebuffers are then multiplexed or switched to on the screen. To enable the user to authenticate the currently displayed compartment, the Secure GUI has a reserved area on the screen to which no compartment has access. There, the Secure GUI displays the compartment identifier and the color indicating a trusted (green) or untrusted (red) compartment.<br /><br />You can <a href="http://www.cosic.esat.kuleuven.be/wissec2006/papers/14.pdf">download the paper</a> as PDF.<br /><br />Posted by Marcel Winandy
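As an added example of the Secure GUI trusted path described in the post above (not code from PERSEUS or EMSCB), the Python model below gives each compartment its own framebuffer that it can draw into only within its bounds, and lets the Secure GUI multiplex the active one under a reserved top row that shows the compartment identifier and color. The tiny text-mode screen, the compartment names and the label format are constructed for this example.

```python
from dataclasses import dataclass, field

WIDTH, HEIGHT, BAR_ROWS = 16, 6, 1   # constructed: tiny text screen; the top row is reserved

@dataclass
class Compartment:
    name: str
    trusted: bool   # rendered green (trusted) or red (untrusted) by the Secure GUI
    fb: list = field(default_factory=lambda: [[" "] * WIDTH for _ in range(HEIGHT - BAR_ROWS)])

    def draw(self, row: int, text: str) -> bool:
        # A compartment writes only into its own framebuffer; any row outside it is rejected,
        # so it can never reach the reserved row that the Secure GUI owns.
        if not 0 <= row < len(self.fb):
            return False
        chars = list(text[:WIDTH])
        self.fb[row][:len(chars)] = chars
        return True

class SecureGUI:
    def __init__(self, compartments):
        self.comps = {c.name: c for c in compartments}
        self.active = compartments[0].name

    def switch(self, name: str) -> None:
        self.active = name   # switching is a Secure GUI operation, never a compartment's

    def render(self) -> list:
        # Multiplex the active compartment's framebuffer under the reserved indicator row.
        c = self.comps[self.active]
        label = f"[{'GREEN' if c.trusted else 'RED'}] {c.name}"
        return [label.ljust(WIDTH)[:WIDTH]] + ["".join(r) for r in c.fb]

def demo():
    wallet, browser = Compartment("wallet", True), Compartment("browser", False)
    gui = SecureGUI([wallet, browser])
    gui.switch("browser")
    out_of_range = browser.draw(-1, "[GREEN] wallet")   # write into the reserved row is refused
    browser.draw(0, "[GREEN] wallet")                   # same text lands in its own first row
    screen = gui.render()
    return out_of_range, screen[0].strip(), screen[1].strip()
```

The indicator row always reflects what the Secure GUI knows about the active compartment, so a look-alike label painted by an untrusted compartment appears below it, not in it.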